Post thumbnail
Finally! A Cybersecurity Safety Review Board is a new article by Steve Bellovin and myself at Lawfare. One element of President Biden’s executive order on cybersecurity establishes a board to investigate major incidents involving government computers in somewhat the way that the National Transportation Safety Board investigates aviation disasters. The two of us, among many…
Read More Thoughts on the Executive Order
Post thumbnail
The Supreme Court has ruled in the van Buren case, and there’s a good summary on the EFF’s blog: “The decision is a victory for all Internet users, as it affirmed that online services cannot use the CFAA’s criminal provisions to enforce limitations on how or why you use their service…” As I said at…
Read More Van Buren
Post thumbnail
People sometimes ask me about my recording setup, and I wanted to share some thoughts about recording good learning content. The most important thing I’ve learned is the importance of conceptualizing what you want it to look like. The other thing I’ve learned is that the more expensive gear is usually more expensive for decent…
Read More Recording Lectures
Post thumbnail
There’s an insightful comment, “Everybody has a testing environment. Some people are lucky enough enough to have a totally separate environment to run production in.” Similarly, everybody has both enterprise and product architecture. Some people are lucky enough to be able to design them. I have to say that because “architecture” is much maligned for…
Read More Review: Practical Security ArchitectureThe National Science Foundation is looking for information on needs for datasets, Dear Colleague Letter: Request for Information on the specific needs for datasets to conduct research on computer and network systems. A draft of my responses is on Google Docs. Comments are due Friday at 5 PM EST. (I thought I’d posted this earlier.)
Read More NSF Wants Data on Your Data Needs
Post thumbnail
Threat model Thursday is not just back, but live again! This week is my Using Threat Modeling to Improve Compliance at RSAC 2021. The video replay is available if you have an RSA pass, and the slides are available to all.
Read More Using Threat Modeling to Improve Compliance (TM Thursday)
Post thumbnail
The Colonial Pipeline shutdown story is interesting in all sorts of ways, and I can’t delve into all of it. I did want to talk about one small aspect, which is the way responders talk about Darkside. Blog posts from Sophos and Mandiant seem really useful! Information sharing is working, and what the heck does…
Read More Colonial Pipeline, Darkside and Models“AppSec Pacific Northwest Conference is a free application security conference that will be held Saturday, June 19th. It is a virtual, online event sponsored by the OWASP chapters of Portland, Vancouver, and Victoria. We love to see brand new speakers, seasoned speakers and everyone in between. Their call for presentations is now open.
Read More Pacific Northwest Appsec Conference
Post thumbnail
So there’s some good news and some bad news in this story: Too Bad, Zuck: Just 4% of U.S. iPhone Users Let Apps Track Them After iOS Update. The good news is that, given a choice, 96% of Americans don’t accept targeted ads. I’m sure that the advertisers will accept that, move on, and not…
Read More Tracking Company Says 96% of iPhone Users Block TrackingApple has released (or I’ve just come across) a document Device and Data Access when Personal Safety is At Risk. Apple makes it easy to connect and share your life with the people closest to you. What you share, and whom you share it with, is up to you — including the decision to make…
Read More Apple Guidance on Intimate Partner Surveillance